Report - mesh.exe

Generic Malware Malicious Library UPX PE File PE64 OS Processor Check
ScreenShot
Created 2024.11.11 10:00 Machine s1_win7_x6401
Filename mesh.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score
1
Behavior Score
4.0
ZERO API
VT API (file) 42 detected (Common, MeshAgent, Malicious, score, GenericKD, Unsafe, Attribute, HighConfidence, moderate confidence, FileRepMalware, Misc, CLOUD, Redcap, buhvh, Tool, RemoteAdmin, Detected, ABApplication, KSPP, Artemis, Mesh, Chgt, R002H09K824, PossibleThreat)
md5 0d6e405856f8687fb1a06645a85bb0f3
sha256 db8174175cec245f15f117503fd9e178307fb3763ea7e2e47541e80bfc953746
ssdeep 49152:PX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QxR:PlRsZ47/QXoHUOfAoj1x6xR
imphash fb0a8b4a81655f744a37af985e009476
impfuzzy 96:d77ozSj+V5zQiwgaT84tkImXFuUMwmxSlDbgGc+pR+DLOEVb0XI+Di8y91PrbnLo:BaBMiwgC2kwm0DbP+3g4+Di8urbLXMec
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

COMCTL32.dll
 0x140208150 InitCommonControlsEx
dbghelp.dll
 0x140208aa8 SymInitialize
 0x140208ab0 SymGetModuleBase64
 0x140208ab8 SymGetLineFromAddr64
 0x140208ac0 SymFunctionTableAccess64
 0x140208ac8 SymFromAddr
 0x140208ad0 StackWalk64
 0x140208ad8 MiniDumpWriteDump
IPHLPAPI.DLL
 0x1402082a8 GetAdaptersAddresses
 0x1402082b0 SendARP
 0x1402082b8 ConvertLengthToIpv4Mask
 0x1402082c0 GetAdaptersInfo
WS2_32.dll
 0x140208990 WSACloseEvent
 0x140208998 htons
 0x1402089a0 htonl
 0x1402089a8 gethostname
 0x1402089b0 ntohs
 0x1402089b8 ntohl
 0x1402089c0 WSAGetLastError
 0x1402089c8 ioctlsocket
 0x1402089d0 recv
 0x1402089d8 WSASetLastError
 0x1402089e0 send
 0x1402089e8 getsockname
 0x1402089f0 WSASocketW
 0x1402089f8 listen
 0x140208a00 closesocket
 0x140208a08 ind
 0x140208a10 accept
 0x140208a18 __WSAFDIsSet
 0x140208a20 setsockopt
 0x140208a28 socket
 0x140208a30 sendto
 0x140208a38 getsockopt
 0x140208a40 recvfrom
 0x140208a48 connect
 0x140208a50 shutdown
 0x140208a58 WSAIoctl
 0x140208a60 GetAddrInfoW
 0x140208a68 WSAResetEvent
 0x140208a70 WSAEventSelect
 0x140208a78 WSAStartup
 0x140208a80 WSACreateEvent
 0x140208a88 WSACleanup
 0x140208a90 FreeAddrInfoW
 0x140208a98 select
CRYPT32.dll
 0x140208160 CertFindCertificateInStore
 0x140208168 CertDuplicateCertificateContext
 0x140208170 CertDeleteCertificateFromStore
 0x140208178 CryptAcquireCertificatePrivateKey
 0x140208180 CertAddEncodedCertificateToStore
 0x140208188 CryptMsgClose
 0x140208190 CryptMsgUpdate
 0x140208198 CryptExportPublicKeyInfo
 0x1402081a0 CertCreateSelfSignCertificate
 0x1402081a8 CertFreeCertificateContext
 0x1402081b0 CryptMsgOpenToEncode
 0x1402081b8 CertAddCertificateContextToStore
 0x1402081c0 PFXExportCertStore
 0x1402081c8 CryptSignAndEncodeCertificate
 0x1402081d0 CertCloseStore
 0x1402081d8 CertStrToNameA
 0x1402081e0 CryptMsgGetParam
 0x1402081e8 CryptEncodeObject
 0x1402081f0 CertSetCertificateContextProperty
 0x1402081f8 CertGetCertificateContextProperty
 0x140208200 CryptMsgCalculateEncodedLength
 0x140208208 CertOpenStore
 0x140208210 CertStrToNameW
 0x140208218 CertEnumCertificatesInStore
gdiplus.dll
 0x140208ae8 GdipGetImageEncoders
 0x140208af0 GdiplusShutdown
 0x140208af8 GdipCloneImage
 0x140208b00 GdipAlloc
 0x140208b08 GdipDisposeImage
 0x140208b10 GdipFree
 0x140208b18 GdipGetImageEncodersSize
 0x140208b20 GdipLoadImageFromStream
 0x140208b28 GdipSaveImageToStream
 0x140208b30 GdiplusStartup
ncrypt.dll
 0x140208b40 NCryptCreatePersistedKey
 0x140208b48 NCryptFreeObject
 0x140208b50 NCryptSetProperty
 0x140208b58 BCryptCloseAlgorithmProvider
 0x140208b60 BCryptGenRandom
 0x140208b68 NCryptOpenStorageProvider
 0x140208b70 BCryptOpenAlgorithmProvider
 0x140208b78 NCryptFinalizeKey
KERNEL32.dll
 0x1402082d0 InitializeSListHead
 0x1402082d8 GetStartupInfoW
 0x1402082e0 RtlUnwindEx
 0x1402082e8 GetFullPathNameW
 0x1402082f0 GetStdHandle
 0x1402082f8 WriteFile
 0x140208300 LoadLibraryExA
 0x140208308 GetModuleFileNameW
 0x140208310 GetSystemPowerStatus
 0x140208318 OpenProcess
 0x140208320 MultiByteToWideChar
 0x140208328 Sleep
 0x140208330 GetLastError
 0x140208338 CloseHandle
 0x140208340 GetCurrentDirectoryW
 0x140208348 SetCurrentDirectoryW
 0x140208350 GetProcAddress
 0x140208358 SetEnvironmentVariableA
 0x140208360 CreateProcessW
 0x140208368 FreeLibrary
 0x140208370 WideCharToMultiByte
 0x140208378 GetCurrentThreadId
 0x140208380 GetModuleHandleA
 0x140208388 WaitForSingleObjectEx
 0x140208390 CreateThread
 0x140208398 QueueUserAPC
 0x1402083a0 OpenThread
 0x1402083a8 ReadFile
 0x1402083b0 LoadLibraryA
 0x1402083b8 SleepEx
 0x1402083c0 SetSystemPowerState
 0x1402083c8 GetCurrentProcess
 0x1402083d0 SetThreadExecutionState
 0x1402083d8 HeapFree
 0x1402083e0 HeapAlloc
 0x1402083e8 GetProcessHeap
 0x1402083f0 SystemTimeToFileTime
 0x1402083f8 GetSystemTime
 0x140208400 FileTimeToSystemTime
 0x140208408 SystemTimeToTzSpecificLocalTime
 0x140208410 QueryPerformanceCounter
 0x140208418 ReleaseSemaphore
 0x140208420 WaitForSingleObject
 0x140208428 CreateSemaphoreA
 0x140208430 CancelIo
 0x140208438 FindFirstFileW
 0x140208440 FindNextFileW
 0x140208448 RemoveDirectoryW
 0x140208450 GetFinalPathNameByHandleW
 0x140208458 GetDriveTypeA
 0x140208460 SetFilePointer
 0x140208468 FindFirstVolumeA
 0x140208470 FindClose
 0x140208478 CreateFileW
 0x140208480 GetVolumePathNamesForVolumeNameA
 0x140208488 GetFileAttributesExW
 0x140208490 ReadDirectoryChangesW
 0x140208498 FindNextVolumeA
 0x1402084a0 FindVolumeClose
 0x1402084a8 GetDiskFreeSpaceExA
 0x1402084b0 CreateEventA
 0x1402084b8 GetModuleHandleExA
 0x1402084c0 WaitForMultipleObjectsEx
 0x1402084c8 CreateNamedPipeA
 0x1402084d0 DisconnectNamedPipe
 0x1402084d8 CreateFileA
 0x1402084e0 CancelIoEx
 0x1402084e8 LocalFree
 0x1402084f0 ConnectNamedPipe
 0x1402084f8 SetConsoleMode
 0x140208500 GetConsoleMode
 0x140208508 SetConsoleOutputCP
 0x140208510 IsDebuggerPresent
 0x140208518 TerminateProcess
 0x140208520 GetTempPathW
 0x140208528 CancelSynchronousIo
 0x140208530 SetEvent
 0x140208538 ResetEvent
 0x140208540 IsProcessorFeaturePresent
 0x140208548 GetCurrentProcessId
 0x140208550 GetEnvironmentStrings
 0x140208558 FreeEnvironmentStringsA
 0x140208560 CopyFileW
 0x140208568 RtlCaptureContext
 0x140208570 SuspendThread
 0x140208578 ResumeThread
 0x140208580 DuplicateHandle
 0x140208588 GetTickCount64
 0x140208590 GetCurrentThread
 0x140208598 GetOverlappedResult
 0x1402085a0 GetThreadContext
 0x1402085a8 WTSGetActiveConsoleSessionId
 0x1402085b0 GetExitCodeProcess
 0x1402085b8 SetEndOfFile
 0x1402085c0 DeleteFileW
 0x1402085c8 SetFilePointerEx
 0x1402085d0 SetConsoleCtrlHandler
 0x1402085d8 FreeConsole
 0x1402085e0 LoadLibraryExW
 0x1402085e8 SetLastError
 0x1402085f0 GetFileType
 0x1402085f8 GetModuleHandleW
 0x140208600 SwitchToFiber
 0x140208608 DeleteFiber
 0x140208610 CreateFiber
 0x140208618 GetSystemTimeAsFileTime
 0x140208620 ConvertFiberToThread
 0x140208628 ConvertThreadToFiber
 0x140208630 GetEnvironmentVariableW
 0x140208638 ReadConsoleA
 0x140208640 ReadConsoleW
 0x140208648 EnterCriticalSection
 0x140208650 LeaveCriticalSection
 0x140208658 DeleteCriticalSection
 0x140208660 InitializeCriticalSectionAndSpinCount
 0x140208668 TlsAlloc
 0x140208670 TlsGetValue
 0x140208678 TlsSetValue
 0x140208680 TlsFree
 0x140208688 ExitProcess
 0x140208690 GetModuleHandleExW
 0x140208698 CreateDirectoryW
 0x1402086a0 GetConsoleCP
 0x1402086a8 MoveFileExW
 0x1402086b0 SetEnvironmentVariableW
 0x1402086b8 GetTimeZoneInformation
 0x1402086c0 SetStdHandle
 0x1402086c8 GetDriveTypeW
 0x1402086d0 PeekNamedPipe
 0x1402086d8 GetCommandLineA
 0x1402086e0 GetCommandLineW
 0x1402086e8 GetACP
 0x1402086f0 GetDateFormatW
 0x1402086f8 GetTimeFormatW
 0x140208700 CompareStringW
 0x140208708 LCMapStringW
 0x140208710 GetStringTypeW
 0x140208718 HeapReAlloc
 0x140208720 FlushFileBuffers
 0x140208728 WriteConsoleW
 0x140208730 GetCPInfo
 0x140208738 FindFirstFileExW
 0x140208740 SetUnhandledExceptionFilter
 0x140208748 UnhandledExceptionFilter
 0x140208750 RtlLookupFunctionEntry
 0x140208758 GetThreadId
 0x140208760 RtlVirtualUnwind
 0x140208768 IsValidCodePage
 0x140208770 GetOEMCP
 0x140208778 GetEnvironmentStringsW
 0x140208780 FreeEnvironmentStringsW
 0x140208788 RaiseException
 0x140208790 HeapSize
 0x140208798 RtlPcToFileHeader
 0x1402087a0 QueryPerformanceFrequency
 0x1402087a8 EncodePointer
USER32.dll
 0x1402087c8 EndDialog
 0x1402087d0 SetWindowTextW
 0x1402087d8 GetWindowPlacement
 0x1402087e0 ShowWindow
 0x1402087e8 GetDlgCtrlID
 0x1402087f0 SetWindowPlacement
 0x1402087f8 SetWindowTextA
 0x140208800 IsDlgButtonChecked
 0x140208808 GetDlgItem
 0x140208810 CheckDlgButton
 0x140208818 DialogBoxParamW
 0x140208820 EnableWindow
 0x140208828 MessageBeep
 0x140208830 ExitWindowsEx
 0x140208838 GetUserObjectInformationA
 0x140208840 EnumDisplayMonitors
 0x140208848 GetSystemMetrics
 0x140208850 SetThreadDesktop
 0x140208858 GetThreadDesktop
 0x140208860 CloseDesktop
 0x140208868 BlockInput
 0x140208870 GetMonitorInfoA
 0x140208878 OpenInputDesktop
 0x140208880 GetKeyState
 0x140208888 GetMessageA
 0x140208890 GetMessageExtraInfo
 0x140208898 SendMessageW
 0x1402088a0 LoadCursorA
 0x1402088a8 DestroyWindow
 0x1402088b0 GetDC
 0x1402088b8 PostMessageA
 0x1402088c0 GetIconInfo
 0x1402088c8 CallNextHookEx
 0x1402088d0 GetCursorInfo
 0x1402088d8 SetWindowsHookExA
 0x1402088e0 MapVirtualKeyA
 0x1402088e8 GetForegroundWindow
 0x1402088f0 UnhookWindowsHookEx
 0x1402088f8 DefWindowProcA
 0x140208900 CreateWindowExA
 0x140208908 TranslateMessage
 0x140208910 UnregisterClassA
 0x140208918 DrawIconEx
 0x140208920 SetWinEventHook
 0x140208928 RegisterClassExA
 0x140208930 UnhookWinEvent
 0x140208938 SetForegroundWindow
 0x140208940 ReleaseDC
 0x140208948 SendInput
 0x140208950 SetProcessDPIAware
 0x140208958 MessageBoxW
 0x140208960 GetUserObjectInformationW
 0x140208968 GetProcessWindowStation
 0x140208970 DispatchMessageA
 0x140208978 CreateWindowExW
 0x140208980 GetWindowRect
GDI32.dll
 0x140208228 SetBkMode
 0x140208230 SetBkColor
 0x140208238 CreateSolidBrush
 0x140208240 BitBlt
 0x140208248 StretchBlt
 0x140208250 DeleteDC
 0x140208258 SetStretchBltMode
 0x140208260 CreateCompatibleBitmap
 0x140208268 GetObjectA
 0x140208270 SelectObject
 0x140208278 CreateCompatibleDC
 0x140208280 GetDIBits
 0x140208288 DeleteObject
 0x140208290 SetTextColor
 0x140208298 GetStockObject
ADVAPI32.dll
 0x140208000 CloseServiceHandle
 0x140208008 AllocateAndInitializeSid
 0x140208010 CryptEnumProvidersW
 0x140208018 CryptSignHashW
 0x140208020 CryptDestroyHash
 0x140208028 CryptCreateHash
 0x140208030 CryptDecrypt
 0x140208038 CryptExportKey
 0x140208040 CryptGetUserKey
 0x140208048 CryptGetProvParam
 0x140208050 CryptSetHashParam
 0x140208058 CryptAcquireContextW
 0x140208060 ReportEventW
 0x140208068 RegisterEventSourceW
 0x140208070 DeregisterEventSource
 0x140208078 StartServiceCtrlDispatcherA
 0x140208080 RegCreateKeyW
 0x140208088 RegSetValueExA
 0x140208090 RegDeleteKeyA
 0x140208098 RegCloseKey
 0x1402080a0 RegOpenKeyExA
 0x1402080a8 OpenProcessToken
 0x1402080b0 InitiateSystemShutdownA
 0x1402080b8 LookupPrivilegeValueA
 0x1402080c0 AdjustTokenPrivileges
 0x1402080c8 CryptReleaseContext
 0x1402080d0 RegSetValueExW
 0x1402080d8 CryptDestroyKey
 0x1402080e0 InitializeSecurityDescriptor
 0x1402080e8 SetEntriesInAclA
 0x1402080f0 SetSecurityDescriptorDacl
 0x1402080f8 DuplicateTokenEx
 0x140208100 CreateProcessAsUserW
 0x140208108 SetTokenInformation
 0x140208110 OpenServiceA
 0x140208118 CheckTokenMembership
 0x140208120 FreeSid
 0x140208128 RegisterServiceCtrlHandlerExA
 0x140208130 OpenSCManagerA
 0x140208138 SetServiceStatus
 0x140208140 QueryServiceStatus
SHELL32.dll
 0x1402087b8 ShellExecuteExW
ole32.dll
 0x140208b88 CoInitializeEx
 0x140208b90 CreateStreamOnHGlobal
 0x140208b98 CoUninitialize

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure